Laserfiche WebLink
Security Policies and Procedures <br />VI. Information Classifications and Requirements <br />A. Overview <br />Information is classified by system to ensure that the controls applied to it are <br />sufficient and also to ensure that the controls applied do not impair Virtru's business, <br />ability to compete or Virtru's image. <br />All information must have a classification for security and must have requirements set <br />for business continuity. <br />B. The Security classification process <br />Each information asset will go through the following classification process. Information <br />assets include, but are not limited to: <br />1. IT platforms such as servers and workstations <br />2. IT applications including database transaction processing and email <br />3. Data sets <br />4. Paper copies of information <br />5. Information types typically known to workforce members, such as customer <br />information <br />In general, an information asset includes both the raw information itself (paper, oral or <br />data entry), the location where it resides, the business processes which handle it and <br />the systems and tools that handle it. <br />Information assets will also be reviewed during: <br />1. Development, acquisition or deployment of software <br />2. Connections of computers or networks to outside systems or networks <br />3. Granting of access to any outside organizations <br />The security classification of an information asset is assigned according to the highest <br />of these dimensions. As an example, if an asset is regulated by law, then it needs the <br />highest classification, even if the asset is not critical to the Company's business. <br />C. The classes of information for Security and Privacy <br />This policy applies to all workforce members, management, contractors, vendors, <br />business partners and any other parties who have access to Company or client data. <br />Rev.2015.8.6 <br />16 <br />